In this issue

A new version of the stable branch of Apache, 1.2.5, has been
released. This incorporates some bug fixes following an
internal security code review, and also fixes a possible
"denial of service" attack. The security problems found are
not particularly serious. Many would be very difficult
to exploit, and even those which are potentially exploitable
at worst give access to the server user (not root). As far as
is know, none of these problems were being exploited, and
many of this would be very difficult to use. These fixes will
also be in the next beta of 1.3.

The 'Beck' Denial of Service Attack

A denial of service attack has posted in a message on the
BUGTRAQ list. This message also includes a script called
"beck" to perform the attack.

Apache, like all network services, is vulnerable to attacks
based on repeated requests. By sending requests rapidly to
the server, the server's load will increase in proportion to
the number of requests being made. This is difficult to guard
against because the server cannot know whether the repeated
requests are valid or not. Normally the load caused by
repeated requests will be roughly linear to the number or
rate of requests, at least until the server nears hard
resource limits. And normally as soon as the attacker stops
sending requests the load at the server will start to
decrease. The "beck" author found a problem with Apache which
caused the load to increase exponentially, and could stay
high even after the attack stopped.

The problem in Apache that this potential attack highlights
was the way that Apache processes requests with slash (/)
characters in them. When Apache receives requests with /'s in
them, it has to parse the request line to identify the path
components, and to ensure that the user is not trying to
evade directory restrictions by using multiple slash
characters in a row. The problem was that the amount of
processing that Apache does on a request did not increase
linearly with the number of slashes in the request, instead
it increased exponentially. So for a line containing ten /'s
Apache did 100 times as much processing as for a line
containing one /. It should have only done ten times as much.
When requests contained very large numbers of slashes Apache
would do a huge amount of CPU intensive processing. This is
fixed in 1.2.5 and the next 1.3 beta.

Security Code Review

The Apache code was already being reviewed for "buffer
overrun" type security problems when the "beck" attack was
announced. The review is part of the ongoing process to try
and ensure that Apache is as secure as possible.

Apache is very careful to try and ensure that things like
buffer overruns do not occur. For example, when copying
strings of possibly unknown length, Apache always specifies a
maximum string length to copy. This is to try and prevent
attacks which involve sending overlong data to a server,
which will overwrite a code area. Potentially an attacker may
be able to use this mechanism to write executable data into
the code area, then get their code executed.

The code has been updated in previous reviews to try to
eliminate buffer overruns, however recently some minor
problems were found in two modules in particular: the
imagemap module (mod_imap) and the server-side include module
(mod_ssi). So a review was performed to analyse both of these
modules - as well as the rest of the code - for remaining
buffer overrun type bugs. The result of the code review is
Apache 1.2.5.

Of course it is never possible to say with absolute certainty
that there are no more buffer overrun bugs, but Apache is
widely and carefully reviewed by the developers. The
availablity of source code gives anyone concerned with
security the ability the check the code for themselves, and
provides an open review process. The CHANGES file in Apache
1.2.5 and the security advisory both list the bugs found in
detail to keep all users informed.

For the first time, Apache's share of the Netcraft Internet
server survey
has exceeded 50%. This means it is now used on more internet
sites that all other servers combined. The proportion of
sites using Apache or a known derivative of Apache is 50.24%,
up from 49.90% last month. The proportion of sites running a
Microsoft server is 21.51% and Netscape 10.24%. After this
news, the Apache developers issued a press
release.

Apache 1.2.5 is the current stable release. Users of Apache
1.2.4 and earlier should upgrade to this version. The next
release will be 1.3. A beta test release of 1.3 is available
now for both Unix and Windows 95/NT systems.

Bugs fixed in 1.3b4

These bugs have been found and fixed in 1.3b4.

Because of the major differences between Windows and Unix,
these are separated into bugs which affect Windows systems
only, and other bugs (which may affect Windows as well). Unix
users can ignore the bugs listed in the Windows section.

Windows-specific Bugs

ISAPI extensions would crash if called from a "release"
compilation of Apache. This seems to be due to a bug in the
Visual C++ optimiser. The work-around implemented in Apache
is to turn off the optimisation for one function. The rest
of Apache is still fully optimised.

The multithreading code in Apache has been overhauled to
make it work better and to be easier to maintain. Shutdowns
are now "graceful", which means that connections in
progress are not immediately dropped.

When running a CGI program, Apache could try to run an
executable program as a script. It now checks for
executables the proper way, by looking for the special
signature that occurs at the start of all executables.

Other Bugs

Microsoft Internet Explorer 4 might report "Could not
complete operation due to error 800c0008". This was caused
by a bug in Apache when sending out data in "chunked"
format, as defined in HTTP/1.1. It only affects modules
which send data a character at a time (using the
rputc() API function call). Most modules
included with Apache do not use this call, but some third
party modules do. This error was typically seen on pages
served by PHP. This bug also affects 1.2.5.

Related to the above bug, the sending of documents which
are fed a character at a time from modules has been made
much more efficient.

Incorrect syntax in SSI commands could cause the wrong
error message (or no error message at all) to be logged.

An AddIconByType directive without a trailing
) would not log an error

The Apache API function ap_snprintf() when
given a length parameter of 0 would assume the destination
string was unlimited. It now does not write anything to the
destination buffer.

The calculation of the total number of bytes sent may be
wrong.

Proxy authentication using digest authentication does not
work

Internal structures based on "tables" (such as lists of
headers and environment variables) may not work correctly
when there are two entries with the same key value.

If the argument to AuthName included
double-quotes, Apache would send an invalid header to the
client. From the next release, the argument to
AuthName will be treated like other directive
arguments - in particular, if it contains spaces it must be
enclosed in double quotes.

The CGI environment variable REQUEST_URI was
not being passed on to scripts invoked via suEXEC.

Patches for bugs in Apache 1.2.5 may be made available in the
apply
to 1.2.5 directory on the Apache site. Some new features
and other unofficial patches are available in the 1.2
patches directory. For details of all previously reported
bugs, see the Apache bug database and
known
bugs pages. Also many common configuration questions are
answered in the Apache FAQ.

Development has slowed down to prepare for the release of
Apache 1.3. During the beta release cycle Apache is in a
"feature freeze" where no new features will be added. The
only changes from now on will be bug-fixes.

New Perl Log Resolver

A program to convert IP address in log files into host names
will be available with the next beta release. There is
already a C program to do this, called logresolve.c, in the
src/support directory. The new program does
essentially the same thing, but is written in perl and
designed to be fast and efficient. It will be available in
src/support/logresolve.pl.

API Adds an Apache Utility Library

A new library has been created during the build process,
containing various utility functions. Most of these functions
are available to modules via the Apache module API. In
addition, support programs will be able to link against this
library to get access to these functions. This library is
stored in the ap sub-directory of
src, and is called libap.

On a different subject, Internet World report that
At Last: Apache Runs on Windows (Dec 24). They report on
the recent Apache 1.3 beta for NT, in source code format.
Unlike most NT reviews, they were happy to compile from
source and install from the command line, although they did
note the lack of a graphic administration interface.